On ma, 16 maalis 2020, Peter Tselios via FreeIPA-users wrote:
Many thanks Alexander,
Although I have to admit that I miss some basic understanding of what
is the Kerberos PKINIT and what I would like to have it...
That wiki page explains its use. We utilize anonymous PKINIT internally
for Web UI password-based logins, aside from any other use that you
might have for normal PKINIT.
In general, PKINIT is a way to use smartcard (public key) authentication
with Kerberos, where actual authentication is done before Kerberos KDC
authenticates you (hence, it is a pre-authentication method in
Kerberos). A client uses own certificate to mutually authenticate KDC
pretty much like SSL/TLS authentication with client certificates
happens. The result of the mutual authentication is then used to create
a session key for Kerberos ticket granting ticket.
Anonymous PKINIT is a special case where a client identity does not need
to be proved. This corresponds to normal SSL/TLS use for HTTPS
connections where your browser does not need to present own certificate
but validates the server certificate. KDC then issues a ticket granting
ticket for a special Kerberos principal that can only be used
(realistically) to create a FAST channel wrapping. As result, one can
use anonymous PKINIT ticket to encrypt an exchange to authenticate with
2FA in Kerberos.
Both variants of PKINIT require KDC and Kerberos clients to have
knowledge of public key infrastructure: KDC has to own a certificate it
would be presenting to the clients and clients should present own
certificates in case they are trying to prove possession of a particular
Kerberos identity (non-anonymous). This is where certificates for PKINIT
are required. They could be issued by different parties (not neccessary
IPA CA) but there are quite a few requirements to their content,
especially on KDC side.
RFC 4556 defines PKINIT. It also defines special extended key usages
(EKU) for the certificates used in PKINIT exchanges. These EKUs have to
be present in the certificates. Practically, FreeIPA supports several
mechanisms that allow one to avoid use of Kerberos-specific EKUs in
client certificates but KDC certificates must still have them or include
special Kerberos principal fields for IPA KDCs. Those fields are
typically not added by external CAs, you have to handle that explicitly,
so for internal use we also issue PKINIT KDC certs for non-integrated CA
case. The caveat is that these certs are only trusted by IPA Web UI as
they are issued by the local certmonger on IPA KDCs. But if integrated
CA is used or external CA has provided correct PKINIT KDC certs, those
are used instead.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland